Smucker's breached, possible ties to other high-profile attacks
Customers were notified that their personal information may have been compromised.
The J.M. Smucker Company, an Ohio-based producer of fruit spreads and beverages, has shut down its Online Store following a data breach affecting its customers' personal financial information.
According to a letter sent to individuals whose data may have been compromised, the company was “made aware” of the breach on February 12, 2014, and affects anyone who made a purchase on its Online Store between December 2012 and January 2014.
The data obtained by miscreants may have included customer names, addresses, email addresses, phone numbers, credit and debit card numbers, as well as expiration dates and verification codes.
“We are extremely disappointed this incident occurred and sincerely apologize for any inconvenience this may cause,” Richard Smucker, CEO of the J.M. Smucker Company, wrote in a statement posted on the Online Store website. “We continue to thoroughly investigate this matter with federal authorities.”
The company is offering two years of free credit protection monitoring for anyone affected by the breach.
In an FAQ addressing the incident, the company alludes to malware that may have swiped the personal information belonging to individuals during their checkout process. This would indicate that the malware utilized in the attack has similar attributes to that of the Zeus trojan, which uses form grabbing – intercepting data submitted into a form field before it's submitted to a website – in order to capture sensitive information.
According to security journalist Brian Krebs, the Smucker's breach is tied to a cyber criminal collective that performed attacks on software giant Adobe, data brokers LexisNexis and Dun & Bradstreet, risk consulting firm Kroll, the National White Collar Crime Center, and credit card processor SecurePay, which all resulted in data breaches.
While some of the previously mentioned breaches were a result of running vulnerable versions of Adobe's web application platform, ColdFusion, Krebs was able to find a reference to Smucker's on a control panel for a ColdFusion botnet that attackers leveraged in 2013 and into this year.
Based on reports of the attack taking place due to a vulnerability on the company's web server, John Pirc, chief technology officer at NSS Labs, believes that they should be held accountable. While end-users should always take precaution and use anti-virus protection, he says it isn't reliable to place responsibilities regarding security on them.
"With the proper procedures, code audits during the system development life cycle, post-production security audits and patches, this 'likely' could have been prevented," Pirc said in an email to SCMagazine.com.
"The trend in breaches for 2014 will be like the movie "Groundhog Day" – we will be reliving the same scenario day after day," he said.